Oil and Gas Industry Increasingly Hit by Cyber-Attacks: Report

Most oil and gas industry organizations have seen an increase in successful cyber-attacks over the past 12 months, a recent report from Tripwire, Inc. reveals.

According to the study, which was conducted by Dimensional Research in November 2015, 82 percent of oil and gas industry respondents said their organizations registered an increase in successful cyber-attacks over the past 12 months. Moreover, 53 percent of the respondents said that the rate of cyber-attacks has increased between 50 and 100 percent over the past month.

Tripwire’s study reveals that 21 percent of the respondents have seen an increase of between 20 and 50 percent in successful attacks, 13 percent registered an increase of between 10 and 20 percent, while 11 percent noted an increase of less than 10 percent. Two percent of the respondents said the number of cyber-attacks had more than doubled in the past month.

The report also reveals that 69 percent of respondents said they were “not confident” in their organizations’ ability to detect all cyber-attacks. Focused on the cyber-security challenges faced by organizations in the energy sector, the study received responses from over 150 IT professionals in the energy, utilities, and oil and gas industries.

It is important to note, however, that the study did not mention how many of the IT professionals surveyed had any responsibilities or interaction with those who manage the actual control systems in industrial environments. Furthermore, of the many studies and reports covering cyber-attacks against industrial organizations, very few examples of successful attacks that have directly impacted control systems have been uncovered. The fact that a system in a corporate/office environment may have been impacted by a threat typically does not mean that OT (SCADA/ICS) systems have been compromised.

According to the survey, 72 percent of respondents said that a single executive is responsible for securing both IT and OT environments.

The energy sector has seen a large number of cyber-attacks over the past years, and the Department of Homeland Security says that it is the most attacked industry. Additionally, the sector has been impacted by robust state-sponsored cyber-espionage campaigns, including Trojan.Laziok and Energetic Bear, attacks that can damage physical infrastructure.

However, although cyber threats targeting the electric grid gain attention, the oil and gas industry has not received the same level of scrutiny, Tripwire says.

As Tim Erlin, Director, Security and IT Risk Strategist at Tripwire, notes in a blog post, there are more than 2.3 million miles of pipeline in the United States, meant to connect to a variety of businesses, including refineries and airports. Moreover, with a vast industry of supporting organizations around oil and gas production and distribution, the industry deserves as much attention when it comes to cybersecurity as the electric grid.

According to Erlin, the industry should focus on reducing the number of attacks by eliminating threat actors and by reducing the overall attack surface. Moreover, involved parties should try to reduce the number of successful attacks, through the instantiation of common best practices in attack prevention, and should reduce the number of successful attacks that can be detected.

“The increase in successful attacks should be deeply concerning. Successful attacks could mean that attackers are able to breach a specific security control or that they have been able to get closer to sensitive data using phishing or malware scams that have been detected. It could also mean that attackers are launching more persistent, targeted attacks,” Erlin says.

As noted in a SecurityWeek Feedback Friday in September 2015, the systems of the United States Department of Energy were breached more than 150 times between October 2010 and October 2014. In November, a report from MarketsandMarkets revealed that high-profile cyber-attacks targeting the oil and gas industry will result in a growth in security spending from $26.3 billion in 2015 to $33.9 billion by 2020.

Just before Christmas, regional Ukrainian power companies reported that they had suffered outages after outsiders remotely tampered with automatic control systems. The country’s security service, the SBU, later published a statement accusing Russian special services of planting malware on the networks of energy firms and flooding their technical support phone lines.

Based on available information to date, ICS security experts believe that Ukraine’s power grid has been targeted in a coordinated attack, but say the malware involved was likely not directly responsible for the power outages.